[OWASP-ESAPI] About owasp-esapi-java

Matthew Presson matthew.presson at gmail.com
Tue May 26 11:36:15 EDT 2009


Sorry to have created such a firestorm, but in the end I still do not see
what hashing something multiple times buys you. Instead, what I would
suggest as a better implementation is to pick something like SHA-256 or
SHA-512 and utilize a unique salt per user. In addition, I would utilize
something that is never given to the user as this salt, e.g. the last change
password date (stored in millis), or the internal user id (preferably also a
long value). In this manner, I save the computations on my server every
time a user logs in (only one iteration with a unique salt instead of 1024)
while still protecting the password from rainbow tables. Furthermore, in the
case of using the last password change date, the salt would actually change
every 90 days or whatever your password policy requires.

Any thoughts on this one?

-- 
Matt Presson
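The scheme the message describes (SHA-256 over a per-user salt taken from the internal user id, with the iteration count as the thing being debated), as an added example in Python that is not part of the thread or of ESAPI; `salt_from_user_id`, `make_record`, `verify` and the record layout are assumed names, and the user id and password at the bottom are constructed sample input:

```python
import hashlib
import hmac

def salt_from_user_id(user_id: int) -> bytes:
    # The message proposes a value never shown to the user as the salt, such as
    # the internal user id (a long); encode it as 8 big-endian bytes.
    return user_id.to_bytes(8, "big")

def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Salted SHA-256 repeated `iterations` times: iterations=1 is the single
    # pass proposed in the message, 1024 is the count it compares against.
    # Each extra iteration raises the server's cost per login and an attacker's
    # cost per guess by the same factor; the salt only defeats precomputation.
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(salt + digest).digest()
    return digest

def make_record(user_id: int, password: str, iterations: int = 1024) -> dict:
    # Store salt and count beside the hash so the count can be raised later
    # without breaking verification of existing accounts (hypothetical layout).
    salt = salt_from_user_id(user_id)
    return {
        "salt": salt,
        "iterations": iterations,
        "hash": hash_password(password, salt, iterations),
    }

def verify(record: dict, candidate: str) -> bool:
    # Recompute with the stored salt and count; compare in constant time so the
    # comparison itself does not leak how many leading bytes matched.
    expected = hash_password(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(expected, record["hash"])

if __name__ == "__main__":
    # Constructed sample input: user id 42, one iteration as in the message.
    rec = make_record(42, "correct horse battery", iterations=1)
    print(rec["hash"].hex(), verify(rec, "correct horse battery"))
```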